Friday, August 14, 2015

Snort Subscriber Rule Set License 3.1

Some of you may have noticed, upon sign in on Snort.org, you are being asked re-agree to the Snort Subscriber Rule Set license. To make sure everyone is aware, I wanted to make sure I put out a blog post about the reset and highlight the changes that are being made to the Subscriber and Registered Rule Sets, and be as open as I can to answer any questions you may have.

"1.5. “Limited Ruleset” means those Rules that have been expressly designated by Cisco Talos as “Limited Ruleset”, and are tagged or otherwise identified as “ruleset limited” in the ruleset."

The second is in paragraph 2.1:

"Notwithstanding the foregoing, under no circumstances may You distribute the Limited Ruleset, or any portion thereof, to a Registered User or to any third party or otherwise make the Limited Ruleset available to any third party or allow a third party to use the Limited Ruleset."

The third is in paragraph 2.2:

"Notwithstanding the foregoing, as a Registered User, You have no right or license under this Agreement to use, transfer, Modify, distribute, copy or reproduce the Limited Ruleset, or any portion thereof."

Let me break this down slightly easier, in plain english.

In upcoming weeks we will begin distributing detection and prevention to a completely new set of exploits and vulnerabilities. The detection and prevention against these vulnerabilities (almost exclusively "zero day" type vulnerabilities) is going to be built and shipped, not only in our Shared Object rule format in a protected fashion, but will also only be made available to subscribers to the rule set as well as to Cisco FirePOWER customers.

To date, all content that has ever been in the subscriber ruleset, after 30 days, has been made available for free to the registered rule set. That practice will still continue, except those things that are tagged "ruleset limited" in the metadata of the rule. The rules, tagged in that fashion, again, will only be made available to subscribers, and we currently have no plans to make it available to registered users. We currently have no plans of expanding the "limited" ruleset beyond this new set of exploits and vulnerabilities.

The VAST majority of our detection will remain exactly the way it has been for years. Built and distributed to subscribers on the day it is released, then released 30 days later to registered users.

This offering is not only to provide detection for a new set of vulnerabilities and exploits to our customers, but also to add value to the Subscriber Rule Set, as to date, the only difference has been essentially, the release date.

A few questions you may have:

What do I have to do, if I am subscriber, to take advantage of this new detection coming?
Nothing. It will be built into your ruleset. If you are using pulledpork, or a custom method, to download, install, and use our Shared Object rules, then you are already good to go.

What do I have to do, if I am a registered user, and I don't want this new content?
Nothing. You will continue to receive 30 day delayed content from the Snort Subscriber Rule Set, for free, without this new "limited" ruleset.

What do I have to do, if I am a registered user, and I do want this new content?Subscribe. As a reminder, the personal subscription is for home/educational use only, business subscribers have a flat rate of 399 a sensor to subscribe. The easiest way to subscribe is via credit card, directly on Snort.org, which renews itself annually so you don't miss coverage.

What do I have to do, if I am a Snort Integrator, and I want to distribute this new content?
Nothing. It will be built into your integrator offering already, you may re-distribute this content to your clients pursuant to the Integrator license you agreed to on Snort.org, or signed, when you became an Integrator. As long as you are in good standing with us, you receive the content as part of your package.

What do I need to do, if I want to become a Snort Integrator, and redistribute the ruleset?Start here first. For those of you that are not Integrators, want to be, or used to be, you'll notice that we have eliminated the "minimum fee" we used to charge against all Integrators, and now your fee is solely based on royalty usage.

Will I be able to read the content of the rules?
Unfortunately no, we must distribute this detection in our protected Shared Object format. (Not all Shared Object rule content is protected.)

This new content is offered to all personal, business, and Integrator subscribers of the Snort Subscriber Rule Set at no additional fee, we also have no plans of increasing the price of the ruleset, and have fought hard to keep the price the same.